BSOD Windows 7 x64

alirazaa

Hi,

One of my users complained about the BSOD this morning. This is what is found in the minidump. I was wondering if someone could tell me what is causing the issue.

Code:
Microsoft (R) Windows Debugger Version 6.11.0001.402 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Loading Dump File [E:\Minidump\Claire\090414-17550-01.dmp]
Mini Kernel Dump File: Only registers and stack trace are available
Symbol search path is: SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is: 
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18409.amd64fre.win7sp1_gdr.140303-2144
Machine Name:
Kernel base = 0xfffff800`02c09000 PsLoadedModuleList = 0xfffff800`02e4c890
Debug session time: Thu Sep  4 13:49:36.741 2014 (GMT-4)
System Uptime: 0 days 5:31:36.880
Loading Kernel Symbols
...............................................................
................................................................
...........................................................
Loading User Symbols
Loading unloaded module list
.................
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
Use !analyze -v to get detailed debugging information.
BugCheck 3B, {c0000005, fffff80002f6acfe, fffff88006fa5110, 0}
Probably caused by : win32k.sys ( win32k!xxxClientExtTextOutW+219 )
Followup: MachineOwner
---------
0: kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80002f6acfe, Address of the exception record for the exception that caused the bugcheck
Arg3: fffff88006fa5110, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Debugging Details:
------------------

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP: 
nt!KeUserModeCallback+62
fffff800`02f6acfe 488bb780010000  mov     rsi,qword ptr [rdi+180h]
CONTEXT:  fffff88006fa5110 -- (.cxr 0xfffff88006fa5110)
rax=fffffa8006b68640 rbx=0000000000000001 rcx=0000000000000046
rdx=fffffa8006b68640 rsi=fffff900c0600fa0 rdi=0000000000000000
rip=fffff80002f6acfe rsp=fffff88006fa5af0 rbp=0000000000000002
 r8=0000000000000010  r9=fffff88006fa5c30 r10=00000000000000a0
r11=fffff88006fa5bd8 r12=ffffffff9901152b r13=0000000000000080
r14=fffff88006fa5c30 r15=0000000000000002
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!KeUserModeCallback+0x62:
fffff800`02f6acfe 488bb780010000  mov     rsi,qword ptr [rdi+180h] ds:002b:00000000`00000180=????????????????
Resetting default scope
CUSTOMER_CRASH_COUNT:  1
DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
BUGCHECK_STR:  0x3B
PROCESS_NAME:  csrss.exe
CURRENT_IRQL:  0
LAST_CONTROL_TRANSFER:  from fffff960001ad39d to fffff80002f6acfe
STACK_TEXT:  
fffff880`06fa5af0 fffff960`001ad39d : 00000000`00000046 fffff880`06fa5cc0 00000000`00000001 fffff900`c0600fa0 : nt!KeUserModeCallback+0x62
fffff880`06fa5b70 fffff960`001cad07 : ffffffff`9901152b ffffffff`9901152b fffff960`003475cc 00000000`ffffff8f : win32k!xxxClientExtTextOutW+0x219
fffff880`06fa5ef0 fffff960`000a9eb6 : fffff900`c01de050 00000000`0000012c 00000000`00000000 fffff900`c0600fa0 : win32k!xxxTooltipRender+0x163
fffff880`06fa5f50 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : win32k!xxxTooltipWndProc+0x31e

FOLLOWUP_IP: 
win32k!xxxClientExtTextOutW+219
fffff960`001ad39d 448bf8          mov     r15d,eax
SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  win32k!xxxClientExtTextOutW+219
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: win32k
IMAGE_NAME:  win32k.sys
DEBUG_FLR_IMAGE_TIMESTAMP:  53c5df64
STACK_COMMAND:  .cxr 0xfffff88006fa5110 ; kb
FAILURE_BUCKET_ID:  X64_0x3B_win32k!xxxClientExtTextOutW+219
BUCKET_ID:  X64_0x3B_win32k!xxxClientExtTextOutW+219
Followup: MachineOwner
---------
0: kd> .cxr 0xfffff88006fa5110
rax=fffffa8006b68640 rbx=0000000000000001 rcx=0000000000000046
rdx=fffffa8006b68640 rsi=fffff900c0600fa0 rdi=0000000000000000
rip=fffff80002f6acfe rsp=fffff88006fa5af0 rbp=0000000000000002
 r8=0000000000000010  r9=fffff88006fa5c30 r10=00000000000000a0
r11=fffff88006fa5bd8 r12=ffffffff9901152b r13=0000000000000080
r14=fffff88006fa5c30 r15=0000000000000002
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!KeUserModeCallback+0x62:
fffff800`02f6acfe 488bb780010000  mov     rsi,qword ptr [rdi+180h] ds:002b:00000000`00000180=????????????????
 
Hi Jared,

Thank you very much for your reply with instructions. The laptop I have is my company's laptop and has some confidential stuff that can't be published on the site.
Could you please give me some hint about the possible area of the problem?

Regards,
Aley
 
Without dump files it's difficult to tell.
Can you open the Kernel dump file and run
Code:
!analyze -v
on it then post it in BB code in your next reply.
It's the # button.

There isn't anything private (apart from the programs installed) published in a dump file so you're okay to upload it.

The Kernel memory dump is located in
Code:
C:/Windows/MEMORY.dmp
 
It's much harder to tell without a Kernel memory dump but I think it'll do for now.
Well we have our usual 0x3B...

Code:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: fffff80002f6acfe, Address of the instruction which caused the bugcheck
Arg3: fffff88006fa5110, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

We have our access violation which means memory being referenced couldn't be physically understood by the CPU as it just doesn't exist.

Code:
0: kd> .cxr 0xfffff88006fa5110;r
rax=fffffa8006b68640 rbx=0000000000000001 rcx=0000000000000046
rdx=fffffa8006b68640 rsi=fffff900c0600fa0 rdi=0000000000000000
rip=fffff80002f6acfe rsp=fffff88006fa5af0 rbp=0000000000000002
 r8=0000000000000010  r9=fffff88006fa5c30 r10=00000000000000a0
r11=fffff88006fa5bd8 r12=ffffffff9901152b r13=0000000000000080
r14=fffff88006fa5c30 r15=0000000000000002
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
nt!KeUserModeCallback+0x62:
fffff800`02f6acfe 488bb780010000  mov     rsi,qword ptr [rdi+180h] ds:002b:00000000`00000180=????????????????

Here we can see why: it tried to move a pointer stored in the rsi register to an address calculated by adding the values of the rdi register (null) and 180, resulting in a memory write to 0x180, which is clearly invalid as the first addresses that exist I believe are 0x10000, but even they are reserved for user mode boot processes.

This is normally caused by drivers using bad instruction pointers, 0x3B is normally caused by display drivers.
win32k.sys is calling these functions, this is the Windows subsystem device driver which handles most if not all graphic display operations so it's not surprising if the display driver is at fault.

Let's take a look at some information about it.

Code:
igdkmd64	fffff880`05834000	fffff880`063e63c0	Mon Mar 07 04:52:16 2011 (4d746480)	00bbfd53		igdkmd64.sys

Well the fact that it's over 3 years old means it would be a likely cause of issues.
I suggest you update it here:

https://downloadcenter.intel.com/default.aspx
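
An added example, not part of the original thread: a short Python triage helper that reads the `.cxr` register dump and faulting instruction quoted above, computes the effective address of the memory operand, and reports the access direction and whether the access is NULL-based. The function name `triage`, the regular expressions and the 0x10000 threshold (taken from the figure mentioned in the post) are assumptions of this example.

```python
import re

# Constructed sample: register lines and faulting instruction copied from the
# .cxr output quoted in this thread.
CXR_OUTPUT = """\
rax=fffffa8006b68640 rbx=0000000000000001 rcx=0000000000000046
rdx=fffffa8006b68640 rsi=fffff900c0600fa0 rdi=0000000000000000
rip=fffff80002f6acfe rsp=fffff88006fa5af0 rbp=0000000000000002
 r8=0000000000000010  r9=fffff88006fa5c30 r10=00000000000000a0
r11=fffff88006fa5bd8 r12=ffffffff9901152b r13=0000000000000080
r14=fffff88006fa5c30 r15=0000000000000002
fffff800`02f6acfe 488bb780010000  mov     rsi,qword ptr [rdi+180h] ds:002b:00000000`00000180=????????????????
"""

REG_RE = re.compile(r"\b(r[a-z0-9]{1,3})=([0-9a-f]{16})\b")
# address, opcode bytes, mnemonic, operands (stops before the "ds:" annotation)
INSN_RE = re.compile(r"^[0-9a-f`]+\s+[0-9a-f]+\s+(\w+)\s+(\S.*?)(?:\s+\w\w:|$)", re.M)
MEM_RE = re.compile(r"\[(\w+)(?:([+-])([0-9a-f]+)h?)?\]")
NULL_PAGE_LIMIT = 0x10000  # assumption: addresses below this are never mapped


def triage(cxr_text):
    """Return the effective address and access type of the faulting operand."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(cxr_text)}
    mnemonic, operands = INSN_RE.search(cxr_text).groups()
    dest, _, _src = operands.partition(",")
    base, sign, disp = MEM_RE.search(operands).groups()
    offset = int(disp, 16) if disp else 0
    if sign == "-":
        offset = -offset
    address = (regs[base] + offset) & 0xFFFFFFFFFFFFFFFF
    return {
        "instruction": f"{mnemonic} {operands}",
        "base_register": base,
        "base_value": regs[base],
        "address": address,
        # Intel syntax: destination first, so memory on the left is a store
        "access": "write" if "[" in dest else "read",
        "null_based": regs[base] == 0 and address < NULL_PAGE_LIMIT,
    }


if __name__ == "__main__":
    for key, value in triage(CXR_OUTPUT).items():
        print(key, hex(value) if isinstance(value, int) and key != "null_based" else value)
```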
 
